PRIVACY POLICY OF COMDATA CZECH A.S.
1. Scope of application
This Policy provides information for persons whose personal data is processed by Comdata Czech a.s.(“Comdata” or “Controller”) as the date controller, i.e., Comdata itself determines the purpose and means of the processing of personal data pursuant to Article 4(7) of the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council), in particular of:

  • persons who directly requested Comdata to provide them with its services or to submit to them an offer of services or goods of its partners or who granted consent to Comdata to the processing of their personal data for the purpose of offering goods or services of its partners (“Customer”); and
  • contractual partners of Comdata who are natural persons, as well as the persons stated by the contractual partner in the contract concluded with Comdata (“Agent”).

This Policy do not apply to the processing of the personal data of employees and job applicants, who are subject to a special privacy policy as disclosed to them.

If you have been contacted by Comdata employees, please be advised that Comdata usually acts as a personal data processor and your contact details were obtained from a personal data controller who is entitled to process your personal data (usually a provider of a service that you use or to whom you have granted your consent to the processing of personal data). In that case, the processing of your personal data is governed by the policies of the respective data controller.
2. Identification of the Controller and contact details of the data protection officer

 

The Controller is Comdata Czech a.s., Company ID No. 26418037, Prague 9, Drahobejlova 36/1073, Postal Code 19000, incorporated in the Commercial Register kept by the Municipal Court in Prague, Section B, insert 6908.

 

The Controller is Comdata Czech a.s., Company ID No. 26418037, Prague 9, Drahobejlova 36/1073, Postal Code 19000, incorporated in the Commercial Register kept by the Municipal Court in Prague, Section B, insert 6908. The Controller has appointed as the data protection officer Mgr. Zuzana Kunčická, contact: osobni_udaje@comdataczech.cz.

 

3. Overview a processed (types) of personal data

 

The Controller is Comdata Czech a.s., Company ID No. 26418037, Prague 9, Drahobejlova 36/1073, Postal Code 19000, incorporated in the Commercial Register kept by the Municipal Court in Prague, Section B, insert 6908.

 

The Controller is Comdata Czech a.s., Company ID No. 26418037, Prague 9, Drahobejlova 36/1073, Postal Code 19000, incorporated in the Commercial Register kept by the Municipal Court in Prague, Section B, insert 6908. The Controller has appointed as the data protection officer Mgr. Zuzana Kunčická, contact: osobni_udaje@comdataczech.cz.

 

4. Purpose of processing

 

The Controller processes the Customer's personal data for the purpose of providing a service in which the Customer expressed their interest.

 

If the Customer grants their consent to the Controller to be contacted for the purpose of offering goods or services of the Controller's partners, the Controller will process their personal data for the purpose of sending commercial communications (e-mail marketing) and reaching them through telemarketing; the subject of such marketing communications will be offers of the Controller's business partners. In that case, it is so-called voluntary processing of personal data that is carried out on the basis of a consent provided by the Customer.

 

The Controller processes Agents' personal data for the purpose of performance of a relevant contract.

 

5. Legal basis of processing

Právním základem zpracování osobních údajů Zákazníka je

  1. The Customer's consent – we process the Customer's personal data for the purpose of sending commercial communications (e-mail marketing) and telemarketing based on their consent.
  2. Performance and conclusion of a contract – the Controller processes the personal data of the Customers who requested the Controller to submit to them an offer of particular services or goods of a Controller's partner;
  3. Legitimate interest – the Controller processes the personal data of the Customers who expressed their interested in arranging a meeting with a Controller's business partner or in a similar service;

 

The legal basis for the processing of the personal data of the Agents is performance of a contract (if it concerns personal data of the contractual parties – natural persons) or a legitimate interest (if it concerns personal data of persons specified in a contract who are not a contractual party).

 

6. Processing period

 

The Controller will process the Customer's personal data for the following periods

  1. in the case of processing based on the consent of the Customer – for the period for which the consent was granted. If the consent is not limited in time, then until the Customer revokes their consent. However, even after the revocation of the consent, the Controller will process basic data about when and in what matter it contacted the Customer for a reasonable period of time (about 4 years) in order to prove the legitimacy of such contact.
  2. in the case of processing for the performance and conclusion of a contract – for the period as required by the partner whose services or goods the Controller mediated, taking into account the type of the concluded contract, however usually for no longer than 4 years from the date of provision of the Customer's personal data.
  3. in the case of processing for a legitimate interest – for the period necessary for the fulfilment of the purpose of the processing, however, for no longer than 6 months from the date of provision of the Customer's personal data.

 

The Controller will process the personal data of Agents for the term of the respective contract and then for the duration of the limitations period for any claims of the contractual parties arising during the term of the contract, or for the duration of the proceeding on such claims.

 

7. Transfer of personal data to third parties

 

The Controller may only disclose the personal data to third parties only when required to do so by law or with the consent of the data subject. The Controller will disclose the personal data available to the usual extent to data processors or other recipients – suppliers of external services. Further, the personal data may be disclosed to the necessary extent to legal, economic, and tax advisers and auditors.

Personal data of debtors may also be disclosed to debt collection agencies for the purpose of recovering or collecting debts. Upon request or in the case of a suspected illegal conduct, the personal data may also be provided to public authorities.

The Controller will not transfer personal data outside the EU.

 

8. Processing method

 

The method of processing of personal data by the Controller includes both manual and automated processing in the Controller's information systems or their processors. The Controller will process written documents in its card index file.

 

Personal data is disclosed, in particular, to the employees of the Controller in connection with the fulfilment of their work tasks that require disposition of the personal data, however only to the extent necessary and in compliance with all security measures.

 

When processing personal data, the Controller complies with the highest standards of personal data protection and observes these principles:
údajů a dodržuje zejména následující zásady:

 

  1. personal data is processed for a clear and comprehensible purpose, by specified means, in a specified manner, and only for the time necessary for the purposes of its processing; the Controller processes only accurate personal data;
  2. The Controller applies appropriate technical and organizational measures to ensure an adequate level of security; all persons who are disclosed the personal data of the Customers or Agents are bound to maintain confidentiality of such information obtained in connection with the processing of such data.
9. Revocation of consent

 

In cases where the processing of personal data is based on the data subject's consent to the processing of personal data, the data subject has the right to revoke their consent to the processing of their personal data at any time. The revocation of consent of the data subject with the processing of their personal data is without prejudice to the lawfulness of the processing of their personal data prior to the revocation. The revocation of the consent may be sent by e-mail to: osobni_udaje@comdataczech.cz. osobni_udaje@comdataczech.cz.

 

10. Right to object;

 

Pursuant to Article 21 of the GDPR, the data subject has the right to object to the Controller's processing of their personal data for reasons regarding their particular situation if the Controller processes their personal data based on its legitimate interest. When the data subject objects to the processing of their personal data, the Controller will cease processing of their personal data to the extent of the objection raised, unless the Controller proves serious legitimate reasons for the processing that prevail over the interests or rights and freedoms of the data subject or for determination, exercise, or defence of its legal claims.

 

The data subjects may send their objections to the processing by e-mail to osobni_udaje@comdataczech.cz. The e-mail must specify the circumstance that led the data subject to the conclusion that the Controller should not process their personal data.

 

11. Rights of data subjects

In relation to the Controller, natural persons have the right to:

 

  1. request access to their personal data processed by the Controller, i.e., the right to obtain confirmation from the Controller as to whether it processes their personal data, and if so, to gain access such personal data and other information referred to in Article 15 of the GDPR;
  2. request rectification of their personal data if inaccurate (Article 16 GDPR). Taking into account the purposes of processing, they may in some cases also request supplementing incomplete personal data;
  3. request erasure of their personal data in the cases under Article 17 of the GDPR;
  4. request restriction of the processing of their personal data in the cases under Article 18 of the GDPR;
  5. request transfer of their personal data in the cases under Article 20 of the GDPR;
  6. obtain, upon request, their personal data which
  • Comdata processes with their consent; or
  • Comdata processes for the performance of a contract to which the natural person is a contractual party or for the implementation of measures taken prior to the conclusion of a contract; or
  • is processed automatically

in a structured, commonly used, and machine-readable format, including the right to request that their personal data is transmitted directly to another controller according to the terms and limitations under Article 20 GDPR.

 

If the Controller receives such a request, it will inform the data subject on the measures taken without undue delay and in any case within one month of receipt of the request. This period may be extended by another two months, if necessary and in view of the complexity and number of requests. In certain cases set forth in the GDPR, the Controller is not obligated to comply fully or partially with the request. This applies, in particularly, when the request is clearly unsubstantiated or unreasonable, especially if repeated. In such cases, the Controller may (i) charge a reasonable fee reflecting the administrative costs of providing the requested data or communication or carrying out the required actions or (ii) reject the request.

 

If the Controller receives such a request but has reasonable doubts about the identity of the data subject, it may request provision of additional information necessary to confirm their identity.

 

The Controller will store information about the fact that the data subject exercised their rights and the outcome of the request for a reasonable period of time (usually 3 – 4 years) for evidence, statistical purposes, improving services, and protecting its rights.

 

If the data subject believes that the Controller processes their personal data unlawfully or otherwise violates their rights, the data subject may file a complaint with the supervisory authority (i.e. the Office for Personal Data Protection) or seek judicial protection.